Saturday, May 24, 2025
Follow us On Linkedin
HomeCyber Security NewsBeware of Weaponized Office Documents that Deliver VenomRAT

Beware of Weaponized Office Documents that Deliver VenomRAT

Cyber Security NewsMalware

Published on

By Tushar Subhra
Beware of Weaponized Office Documents that Deliver VenomRAT

Supply Chain Attack Prevention

SIEM as a Service

Follow Us on Google News

Since office documents are often used in business communications, hackers take advantage of this fact to disseminate malicious malware easily.

Hackers can mislead users into unintentionally activating malware by hiding it in documents that appear to be safe, which gives the malware access to systems and networks.

Cybersecurity researchers at AhnLab Security Intelligence Center (ASEC) recently identified that hackers have been actively exploiting the weaponized Office documents to deliver VenomRAT.

- Advertisement - Google News
Document
Free Trial

Streaming Malware Service

Open Suspicious Files & Links in the ANY RUN Sandbox Safely; Try All Features for Free. Understand malware behavior, collect IOCs, and easily map malicious actions to TTPs — all in our interactive sandbox.

Office Documents Deliver VenomRAT

ASEC discovered a malicious shortcut file, ‘Survey.docx.lnk,’ which delivers VenomRAT (AsyncRAT), and it’s disguised as a legit Word file that is bundled in a compressed file with a genuine text file. 

The attack uses ‘blues.exe’ masked as a Korean company’s certificate, which urges caution. The LNK file executes malicious commands connecting to an external URL through “mshta.” The decoded URL reveals PowerShell commands downloading files to %appdata%. 

The downloaded ‘qfqe.docx’ seems innocent, but ‘blues.exe’ is a malware downloader. Executing it downloads additional scripts through PowerShell, including ‘sys.ps1,’ which further fetches data from ‘adb.dll’ in a fileless format. 

Besides this, the ‘adb.dll’ contains an encoded shellcode decrypted by XORing Base64 with the ‘sorootktools’ string.

Operation process (Source - ASEC)
Operation process (Source – ASEC)

The executed shellcode by VenomRAT (AsyncRAT) conducts the following things:-

  • Keylogging
  • PC info leaks
  • Obeys threat actor commands

The malicious shortcut files resembling legit documents actively spread and demand user vigilance due to the hidden ‘.lnk’ extension.

IoCs

File Detection

  • Trojan/LNK.Runner (2024.01.16.00)
  • Trojan/HTML.Agent.SC196238 (2024.01.17.00)
  • Trojan/Win.Generic.C5572807 (2024.01.12.03)
  • Trojan/PowerShell.Agent (2024.01.17.00)
  • Trojan/Win.Generic.C5337844 (2022.12.21.00)

Behavior Detection

  • Execution/MDP.Powershell.M2514

MD5

  • 2dfaa1dbd05492eb4e9d0561bd29813b
  • f57918785e7cd4f430555e6efb00ff0f
  • e494fc161f1189138d1ab2a706b39303
  • 2d09f6e032bf7f5a5d1203c7f8d508e4
  • 335b8d0ffa6dffa06bce23b5ad0cf9d6

C&C

  • hxxp://194.33.191[.]248:7287/docx1.hta
  • hxxp://194.33.191[.]248:7287/qfqe.docx
  • hxxp://194.33.191[.]248:7287/blues.exe
  • hxxp://194.33.191[.]248:7287/sys.ps1
  • hxxp://194.33.191[.]248:7287/adb.dll
  • 194.33.191[.]248:4449
Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

cyber security

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...
cyber security

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...
cyber security

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...
cyber security

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

Register Now

More like this

cyber security

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to...
cyber security

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code...
cyber security

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager...

GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents.

Company

Trending

Categories

Copyright @ 2016 - 2025 GBHackers On Security - All Rights Reserved